TechCrunch, a technology news website, recently reported that the class action data privacy lawsuit against Facebook (or FB) in Austria, initiated by a law graduate with sign-ups of around 25,000, had a preparatory hearing last 9 April 2015 in a regular court in that country.

As reported, the lawsuit targets the following “unlawful acts” on the part of Facebook, as the group sees it:

• Data use policy which is invalid under EU law
• The absence of effective consent to many types of data use
• Support of the NSA’s ‘PRISM’ surveillance programme
• Tracking of Internet users on external websites (e.g. through ‘Like buttons’)
• Monitoring and analysis of users through ‘big data’ systems
• Unlawful introduction of ‘Graph Search’
• Unauthorised passing on of user data to external applications

Given that we Filipinos are avid FB users and we actually just had a Data Privacy Act, Republic Act 10173, signed into law by Pres. Aquino III on August 15, 2012, it may be a useful exercise to assess FB’s privacy guidelines and compare them with what the law mandates.

This exploration is preliminary and informal. An assessment of this kind is properly the task of the NATIONAL PRIVACY COMMISSION, the government agency created by the law to oversee these privacy-related concerns, acting on any complaint that may later be filed by a Filipino FB user in the Philippines. Unfortunately, according to Al Alegre of Foundation for Media Alternatives in Quezon City, the Commission has not yet been constituted by President Pnoy.

Another caveat here is that, however any privacy violation complaint may proceed, it must also hurdle the immediate threshold issue of SCOPE: whether FB, or its operations, falls within the legal mandate of the law. Just the same, here are some of the ways in which the privacy rights of Filipinos under the said law may be violated by Facebook:

1) FB users are not informed whether personal information shall be, are being or have been processed.

This is one of the basic rights of the data subject (the person whose personal information is subjected to processing) under RA 10173 (sec. 16 [a]). It may seem to be something that an FB member already consented to when he or she signed up. However, if one looks closely at the meaning of the word “processing” in the law, it says “any operations or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data”. Of these, the one item of processing that may be a source of violation is the “use” of data.

The “use” of data here can either be the use of FB user’s personal information by advertisers or by mass surveillance mechanisms similar to what was reported by Edward Snowden as the one being done by the US National Security Agency (NSA).

As to the advertisers, there is an “Adverts” button in the general SETTINGS page which, when clicked, seems to leave to the FB user the decision on how his or her personal information may be used, since it all depends on the settings that the FB user chooses.

The law, however, indicates three categories of information processing, including information use, that must be relayed to the data subject: “shall be”, “are being” and “have been”. Translated to day-to-day dealings, these are the “potential”, “current” and “past” uses of information. This categorization of information use does not seem to have been provided by FB in the various modes of adverts and third party use of data in its Adverts button.

As to the mass surveillance aspect, it may be interesting to ask FB to disclose fully how it has cooperated with the NSA in a manner which may be violative of the Filipino FB user’s data privacy rights.

2) There is no information indicated in the PRIVACY SETTINGS as to the period for which the information provided by the FB user is stored by FB

As an FB user, I checked the Privacy Settings and Tools page, and there the general headings show the major categories “Who can see my stuff”, “Who can contact me” and “Who can look me up”, and nowhere is it indicated how long FB will store the information lodged in FB.

FB may have that information under some other button, such as the Adverts or Apps button. But given that the right to be informed of the period for which the information will be stored is one of the basic rights of the data subject (meaning us, FB users) under this law, in sec. 16 (b)(7), perhaps this should be highlighted prominently in the PRIVACY SETTINGS button.

3) Lack of clear transmissibility of the rights of the data subject in FB

When an FB user dies, who decides what to do with the FB user’s information? Perhaps these and other related conditions may have been already consented to by the FB user when they opened an account with FB. As for me, also a user of FB, I did not take the effort to check this out, but sec. 17 of RA 10173 provides:

SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

What this provision states is that the rights of the data subject to his or her personal information after death can be passed on by way of succession (there is nothing else to be done except be a lawful heir of the data subject) or assignment (which can be by contract). This is something that may have been or should be provided for by FB, taking into account the provisions of RA 10173 that Filipinos are entitled to.

4) Potential breach of duties as to the security of personal information by the personal information controller, if FB may be deemed as such controller

The law defines what is called a “personal information controller”: a person or organization who controls the collection, holding or processing of personal information, or who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term, according to sec. 3(h) of the law, excludes:

(a) A person or organization who performs such functions as instructed by another person or organization and

(b) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

If we go by what the law means by “personal information controller”, it may appear that FB, as such an organization, is the one contemplated by law to have some specific duties as to the security of personal information, as enumerated in sec. 20 and related provisions of the law. Among the duties relevant to FB users is to provide measures that include a process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks and for taking preventive, corrective and mitigating actions against security incidents that can lead to a security breach.

Overall, these are all potential and possible violations that avid Filipino FB users may need to look into closely. If they feel strongly about this, they can always petition or lodge complaints with the NATIONAL PRIVACY COMMISSION (of course, they should also ask Pnoy to constitute this Commission now) so that these concerns may be allayed. Debate on these issues is important to raise awareness that we Filipinos have data privacy rights under Republic Act 10173. It is for us, as users not only of FB but of other social media, and as people who transact with government and other entities using our personal information, to be mindful of how our data privacy rights are enhanced, protected or diminished when we deal through these various media.